CVE-2022-4034

HIGH Year: 2022
CVSS v3 Score
7.8
High
Weakness Type
CWE-1236
View all →

Vulnerability Description

The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Related Vulnerabilities

CVE-2018-10504

HIGH
CVSS:7.8(High)

The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.

CWE-12362018

CVE-2018-11525

HIGH
CVSS:7.8(High)

The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.

CWE-12362018

CVE-2018-11526

HIGH
CVSS:7.8(High)

The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.

CWE-12362018

CVE-2018-1774

HIGH
CVSS:7.8(High)

IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by ...

CWE-12362018

CVE-2019-11819

HIGH
CVSS:7.8(High)

Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.

CWE-12362019